The high frequency of successful large-scale cyber attacks points to gaps existing in conventional cybersecurity. Though attacks are often blamed on mistakes stemming from human factors, the problems of the current cyber situation go deeper. In this article, I argue that the limitations of the conventional defense lie in its simplistic and generic approach, which enables attackers to bypass them with ease and re-use the same attack strategy on multiple victims. I show how the adoption of Artificial Intelligence can change this scene, by personalizing the defence to the defender, forcing attackers to a different and harder situation.
The increasing spread of technology into all sectors of industry and every aspect of daily life has increased the complexity of our cyber footprint. This phenomenon has brought with it a new challenge to confront: to ensure our safety from cybercrimes. Cyber theft is the fastest-growing category of crime. Nation-state backed cybercriminals are expanding their targets to not only government institutions, but also businesses and industrial facilities.
Cybersecurity is now a determining factor in the success of organizations. Their reputation, return on investment (ROI), and customer satisfaction rates depend on it. In the given circumstances, detecting cyber threats and responding to them on time is a key performance indicator of any realistic cyber defense strategy.
There is a wave of discussions in the cyber defense community regarding the insufficiencies of the signature-based approach, and how attackers have overcome this defense strategy with increased creativity in their techniques. Using AI technologies to upgrade the capabilities of the signature-based method and provide a proactive instead of a reactive defense accompany these discussions.
In this short essay, I am expanding on the contrast between the conventional signature-based or a rule-based defense and the novel AI-based approach. To do so, I am approaching cyber defense from within the framework of anomaly detection. The framework of anomaly detection is a canvas on which the distinction between the conventional and AI-based approaches can be drawn with clarity.
An anomaly is something that deviates from what is standard, typical, or expected. Standards are defined pragmatically, concerning the end-goal or the motivation. For example, an e-commerce company might have different expectations for the behavior of their IT systems than a government organization would have. Anomaly detection is the practice of imposing one’s expectations onto the observations and categorizing them into normal versus abnormal (Figures 1).
Pragmatic reasons impose a hierarchy of importance on assets, where the importance of an asset is determined by its impact on the end-goals. It is where a threat is differentiated from an anomaly. The higher the affected asset in the hierarchy of importance, the more likely an anomaly can turn into a threat (Figure 2). Although it is easy to quantify how much surprise a given event arises through its anomaly score, it is not always straightforward to determine the importance of assets, especially in a complex and deeply intermingled IT infrastructure. For instance, an account depending on its complex relationship with other accounts, assets, and processes could be crucial, but go unnoticed until a successful attack is launched from that seemingly innocent starting point.
In a given organization, let’s say a bank, the highest level goals are the business goals. The business goals depend on IT goals. The IT goals, in turn, require IT security goals. IT security goals imply standards and norms, whether explicit or implicit, that define the anomaly detection map as in Figure 1. Therefore, every IT security team, generally speaking, establishes standards concerning the IT security goals (which are defined in relation to general IT and business goals), collects the relevant pieces of information (ex. audit logs), detects anomalies, quantifies their severity level (impact on the goals) and responds to them on time with minimal side effects.
The classic approach to IT security is to establish norms beforehand and ensure they are obeyed. The expectations take the form of specific rules, policies to be followed (e.g., firewall, proxy laws, thresholds on failed login attempts, etc.), and signatures of malicious files in the wild. Rules, policies, and signatures are subject to change in the light of a new vulnerability exposure or a new cyberattack campaign. In most cases, an event that breaks the policy, rule, or signature can be automatically blocked. If not blocked, then an alarm with severity level given apriori to the broken policy or the affected asset is generated and taken to the attention of the security officer.
The approach above is an explicit formulation of norms. It means that all the expectations are written down somewhere and are expressed precisely and shortly (e.g., block if more than five failed to log in). However, there are always unwritten rules operating behind the scenes that govern all sorts of processes. These rules are implicit, and it is impossible to define them apriori since they emerge as things happen. For example, society operates based on explicitly defined rules (traffic rules, law system, human rights, and other similar protocols) and implicitly expressed rules (moral codes, social instincts, etc.).
Explicit rules are easy to define and modify on demand. Such rules tend to be generic, meaning they are not unique to the organization in question. They treat cyber events atomically, oblivious to their inter-relationships, which results in a high rate of false alarms. An example policy of ‘block if the transaction occurs outside the country of residence’ prevents some fraudulent transactions. However, it comes at the cost of client dissatisfaction when their cards are blocked during their trips. A credit card transaction event has other nuances to it. Answers to “How often the client travels?”, “How much time has passed since the last transaction in the country of residence?” “At which merchant is the transaction happening?” and other similar questions could have led to a smarter decision, therefore reducing the false alarm rate. Adding these nuances, however, takes us to the domain of unwritten rules where we lose the advantages of explicitness and easy maintenance. What is more, discovering such relevant nuances is a challenging task on its own.
To go under the radar, one needs to know about the radar. The radars, in the form of signatures, rules, and policies, as a result of being explicitly defined, are not complicated. The attacker, therefore, does not have much to learn, and he can bypass them with minimal effort. The barriers in one place are relatively close to barriers in another place, allowing attackers to re-use, and even sell their techniques to be used against different victims.
The rule-based approach treats cyber events atomically, ignoring the context within which they exist. The collective detection logic lets attackers hit multiple birds with a single stone. The remedy to the conventional defense is to contextualize traditional rules so that they are more nuanced. This contextualization can be done by extending the reach of collective rules to unwritten rules specific to the organizations, leading to unique, personalized defense logic to each place, creating a web as in Figure 3.
Unwritten rules are holistic, meaning they inter-twine multiple factors spread both in time (patterns emerging in a given duration, for instance, in the form of a seasonality) and space (patterns emerging across events that are coincidental with one another, similar in the credit card transaction case described above). To extract unwritten rules, one needs to analyze event logs. Since such an analysis is an immense undertaking to be done manually, it needs to be automated.
The recent success of AI algorithms, especially in image and audio tasks, is due to their ability to extract patterns from the empirical training data and use the extracted patterns to classify or predict the test data. The same technique can be applied to extract unwritten rules from cyber event logs. These unwritten rules can then be used to enrich the conventional rules, policies, and signatures and build defense barriers unique to the organization. The AI-based approach solves the false alarm problem since rules are more nuanced, and anomalies that would arise in the conventional case are accounted for by referring to the relevant context. The AI-based approach takes away the burden of manual maintenance since an AI algorithm will pick up the changes and reconfigure itself to the new situation automatically. An AI erected radar, analogous to fingerprint-based security systems, is built upon unwritten rules specific and personal to the defender, forcing the attacker to play a more challenging game. The attacker now needs more detailed, in-depth intelligence about the victim, his metaphorical fingerprint, for a successful attack.
The Achilles’ heel of using AI is that extracted patterns are usually not expressible for humans to understand. AI analyzes and correlates more data points than a human operator can handle (AI black box problem). To understand what an AI tool is trying to convey, the operator must know the environment very well. It is harder to take action on the findings generated by an AI tool than policy-based ones. Contrary to policy-based tools where it is precisely clear what rule is broken when the alarm goes off, with an AI detection tool, the root cause of alarm might be tricky to understand since there is a multitude of data points that contribute to the alarm. These inherent constraints make it crucial that these AI tools are operated by human specialists, who have an in-depth understanding of the organization they are working for.
The conventional defense strategy relies on linear reasoning with its explicitly defined, precise rules and policies. The application of AI brings about a non-linear reasoning to defense by learning holistic, unwritten rules that manifest themselves in action. The adoption of AI is a promising way to cope with the creativity of cyberattacks and detect them in action even when they manage to bypass the conventional layer of defense.